Texas SysAdm Found Guilty of Federal Violations

the_Grinch

I'm currently taking a law course (actual law course opposed to the legal studies courses) on the Computer Fraud and Abuse Act. Seems I started the course and now all of these cases have been popping up. More recently was the case of Michael Thomas out of Texas.

https://www.wired.com/2016/06/texas-jurys-guilty-verdict-worry-admins/

It's very interesting how they went after him and what exactly he did. I'm of the mind that much like the Terry Child's case this gentlemen was correctly prosecuted. The EFF appears to argue that this should be a civil case only, but when you look at what actions he took and the point of the justice system, I can see why they went down the path they did. As IT people we weld a lot of power and sometimes an example has to be made to dissuade the next person from doing the same thing.

Ultimately I don't tend to believe he'll get the full 10 years, probably 28 months.

Verities

[FONT=&quot]From an earlier written article from wired.com:

[/FONT]https://www.wired.com/2016/06/admin-faces-felony-deleting-files-flawed-hacking-law

"Thomas himself quit shortly after deleting the files, leaving a note behind offering his services as an independent IT consultant."

the_Grinch

Yup that was something that stuck out to me. Also, the fact that when he knew he was going to be charge criminally he fled the country.

Verities

Agreed, which is why I don't think they're going to go easy on him. I really wouldn't be surprised if they did both 10 years and 250k in restitution. That guy must have to have a huge ego; to think you can get away with creating that much damage to a business and then turn around to sell services to them.

the_Grinch

Based on previous case law I don't think they'll go for the full 10 years. If I were to guess I suspect something along the lines of 54 months to 60 months. Fines wise they'll probably assess it at whatever the damages amounted to.

fmitawaps

The articles linked above don't really give enough information to make a good decision. I read everything I could find on the Terry Childs case, and while I felt he should have got some sort of minor penalty, 4 years was way overboard.

And in this case, it seems files were moved but not eliminated. These prosecutors like to go all out and make a big deal on things they know nothing about, like IT, just to make themselves look better.

apr911

Well, I certainly see both sides of the argument.

I make it a point to wipe and sanitize the hard drives of my PCs when leaving an employer. Not because I am looking to cause the company trouble but because the lines between "work" and "personal" have become increasingly blurred.

I did not have the opportunity to wipe my hard drives or even go through them with my last employer and I spent 3 weeks revoking certificates and updating passwords for everything and anything I might have signed into while at work. Paid a bill? Check. Checked a bank account balance? Check. Added a code signing certificate or authentication certificate? Check to both. Logged in to any site that uses long session cookies? Check. Use built in password manager or other tools that log you in automatically to certain services? Check.

Its not just a matter of trust so much as I cant protect the loss of my information if I dont know its lost and the company is under no obligation to tell me if my box has been compromised after I've left. Maybe the box gets misplaced or it doesnt get reimaged before being reassigned. Maybe the disc image they made gets stolen or accessed incorrectly. Or maybe the guy at the 3rd party recycling company used to ensure destruction of drives and data isnt as scrupulous as we all thought. If any of the above were to happen, the company would likely find out and be able to determine what data and info may have been leaked and notify affected customers but what about me and my PII? Technically, they could claim no PII should be on the box which is an increasingly difficult thing to avoid.

A company could technically hold me liable because I destroyed "company" property/documents in the process, even though they've been backed up or saved elsewhere on the network.

There's a lot of issue I see there because companies routinely wipe employee computers when they get malware or viruses but if the employee does it well we can sue the employee and prosecute them for computer crimes. In addition, the company in general trusts me to maintain my box which means I delete files on a regular basis from my desktop; including some company files. If I pull down a certificate/key file from the company share onto my device or generate a new one to load on a server, I delete the both files when its been uploaded to the server/loadbalancer. It's a security risk to keep a copy stored locally on my laptop/desktop when its uploaded to the LB and/or server and/or fileshare.

That's why stolen laptops have become such a big issue because someone copies a file with PII or other sensitive information that they probably shouldnt be storing locally and bam a thief now has those files.

So yeah, the idea that I am authorized to reinstall my operating system at will, switch to linux or windows or vice versa at will or delete files on my box at will only to have the employer decide later that I wasn't authorized to do something is a huge leap. I shudder to think all the changes I've made to networks or devices and files I deleted that someone could go back and look at and say "I didnt authorize this" and then have me sued and/or arrested for tampering with the computer system.

Its an extremely slippery slope that gets even more concerning when you consider how many companies will have you work through your notice period.

While this guy's list of actions do sound criminal, I also hesitate to accept the prosecution's word for it...

Combing through executives emails? Ok, certainly not professionally responsible and probably a terminating offense in its own right but I dont see where he deleted any. More importantly why does this guy even have access to the executive's inbox and how do they know he combined through these emails?

Tampering with network error-alert system - Ok again, I can see where this is a problem but who's to say it was tampering? Alerts get turned off/on all the time, especially if as the defense points out, he came in several days prior to deal with a DDOS. I know half the time when I deal with a down issue I disable most of the alerts just to get the system to shut up enough that I can figure out what's happening.

Deleting 615 backup files - What were these backup files? Perhaps they were SQL log backups for t-log shipping? I mean he did just fix a DDOS that weekend during which time those T-log shipping to offsite devices would have likely been getting backed up causing disk usage issues on the servers.

Changing authentication settings that disabled the company's VPN for remote employees - Who's to say this was malicious? I mean yeah, if he made the change and then didnt test functionality then he didnt do due diligence and that's problematic but was it malicious? Was it all remote VPN users or just some? Some authentication changes can impact only subset of users and without the exact authentication changes and his reasoning for making the change its useless to see malice where there may be none... I've made a number of changes on switches and firewalls over the years that have even locked me out and required a reboot of the device to fix so again, is it an error or malice?

Deleting pages from an internal wiki - This is about the only one that I cant see a potential reason behind.

Again Im sure there is more to it and by all rights it sounds like the guy is guilty of committing some ethically dubious acts if not legally but I am reminded of Aaron Swartz and how, even though the supposedly wronged parties (MIT and JSTOR) both decided not to pursue the matter and remained neutral, the US attorney on the case still managed to find a way to charge Aaron with 13 different felonies. I can only imagine what a US attorney could find with the cooperation of an outright hostile entity.

Bottom line, CFAA is a horribly written and overly vague statute that is long overdue for an update.

SaSkiller

[FONT=&quot]and then deleted some files on the way out to say **** you to his boss,” says Ekeland.[/FONT]

That is his defense attorney. He did act with malicious intent. Guilty, next. I have no sympathy for most of these prosecutions. While there are a few like the Swartz case that are legitimate over reach, and the laws need tightening, the vast majority of the time it seems that someone does something they shouldn't and it's more than browsing the web on the employers dime.

cyberguypr

I'm all for playing devil's advocate but in this case the sum of all parts tells the story pretty well:

- "... became upset about a business decision the company made. In retaliation, Thomas granted himself access to the company executives’ email accounts in order to search through emails and forward them to an external email account he created for that purpose."

- "Thomas also tampered with the company paging system by entering false contact information for various company executives, ensuring that any automatically-generated alerts indicating system problems would not be received. "

- "Thomas also removed company employees and executives from email distribution groups created for the benefit of its customers... This ensured that customers’ request for support would similarly go unnoticed.

- "Thomas deleted virtual machines that were currently in active use and being used to store and perform important backup functions. Those deletions were performed contrary to established practices and procedures routinely followed by the company"

- "Thomas manually changed the setting for an authentication service that eventually led to the inability of employees to work remotely through a Virtual Private Network"

- " Thomas admitted to have “tinkered” with the system and specifically to deleting backups and related files, tampering with the door monitoring system, absconding with passwords, and also stating that he thought he broke the law. When later questioned about the incident, Thomas similarly admitted to FBI Agents to deleting wiki pages and spying on company executives’ emails, also saying he didn’t want the job to be easier for the next person"

the_Grinch

PEOPLE v. CHILDS | FindLaw <----You should probably read this as it paints an accurate picture of Terry Childs. He got exactly what he should have.

fmitawaps wrote: »

The articles linked above don't really give enough information to make a good decision. I read everything I could find on the Terry Childs case, and while I felt he should have got some sort of minor penalty, 4 years was way overboard.

And in this case, it seems files were moved but not eliminated. These prosecutors like to go all out and make a big deal on things they know nothing about, like IT, just to make themselves look better.

fmitawaps

the_Grinch wrote: »

PEOPLE v. CHILDS | FindLaw <----You should probably read this as it paints an accurate picture of Terry Childs. He got exactly what he should have.

Yes, I have read that whole thing several times. And as I said before, the prosecutors went way overboard. Childs was a bit childish and stubborn in his theory of not giving up the passwords for job security, but his real mistake was that he didn't get it through his thick head to give up on this idea when it became apparent that he was out of a job no matter what. He kept the secret a few weeks longer, cost the city a ton of money trying to break into his system, and made it worse for himself.

the_Grinch

Have to agree to disagree I suppose. While I will say his direct bosses should never have allowed him to go as far as he did, he clearly didn't have the city's best interest at heart nor was he somehow making it any more secure. The initial stories reported he was "holding out" because they city was not securing their infrastructure properly. Now if that were true, he probably would have garnered some sympathy. But when you read that you see he himself put the city into a situation where an issues could spell disaster. We of course can't convict you of crimes that haven't happened, but he cost the city a lot of money and clearly broke California law.